DNSSec

2026-01-09T07:45:52Z

Jan:

How to setup DNSSEC with powerdns:

* Add dnssec to pdns.conf:
gpgsql-dnssec=yes

export ZONE=conti.work
sudo pdnsutil add-zone-key $ZONE zsk 1024 active rsasha256 #not really necessary
sudo pdnsutil add-zone-key $ZONE ksk 2048 active rsasha256 #not really necessary

Set nsec3 parameter [https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html]
sudo pdnsutil set-nsec3 $ZONE '1 0 10 db7fcd8a' #random 32bit number

sudo pdnsutil secure-zone $ZONE
sudo pdnsutil rectify-zone $ZONE

Upload public KSK ZSK [https://www.gandi.net/admin/domain/dnssec/5104640]
host -tDNSKEY $ZONE

Or alternatively use:
pdnsutil show-zone -v $ZONE
Zone is not presigned
Zone has hashed NSEC3 semantics, configuration: 1 0 10 db7fcd8a
keys:
ID = 9 (KSK), tag = 28394, algo = 8, bits = 2048 Active: 1 ( RSASHA256 )
KSK DNSKEY = jan-riechers.de IN DNSKEY 257 3 8 AwEAAeEIULkj4vOsQ9nIaY4CR752p/OoCeBcdTcuNS2oUSWoKeQqMMmdFpqbPN3hc/ujEPa+SpbtN5ETNPECBac9udTwMVqjwkkh6ICrvq2tbsZT5ZgJUm1RRy7QF8Tr6LRiO/D2t/BkagfJbWN14AexjZJI6COxMF11/9WDtYDWd7cKMeEDBMrIvmzX2n/jRG3KURVgeOWIMWs3o+AkQvDF04yQmvkY/mmJMagXnvlUnplh8HOwbcAg0f6FfWtGtX3te/wztW8faUzEfuTez++xizZGv3zngIi6M9XFkebfuPIieHTv7AcoZXA2xSteX+Ddr8+mxvCSyXx5k8j4IUSXnY8= ; ( RSASHA256 )
DS = jan-riechers.de IN DS 28394 8 1 dfa8d8c35c5af1dbb192aba146d3274f756213e9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 28394 8 2 fa266f2dd3ff5f62712e9b44409b118662437d45e35bb1eb479cc47ca15dee3e ; ( SHA256 digest )
DS = jan-riechers.de IN DS 28394 8 3 8b830659d1b26dd0daadba31e60ec4dc4a897bc6509261829739282543e9a302 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 28394 8 4 fffa309489dbc02dd7bfa8778b052140231555f0e4878f6c0f42e87abfa107b8649454bbad6f8f63c7e1a756ce8ccb0e ; ( SHA-384 digest )

ID = 8 (ZSK), tag = 51729, algo = 8, bits = 1024 Active: 1 ( RSASHA256 )
ZSK DNSKEY = jan-riechers.de IN DNSKEY 256 3 8 AwEAAaXGpzGDhUeFLH5xsVoswIsIfY7+ulz9xPLGkk3Eb9aBDtOE2eom7SPYLVnOy6ERrO7xokn3jEbZazkkYFGAdK+vVCP/cniphbLHZ9lOOYcQEJAO/BXq6becX23Vf4sgGNJTuooLQOLrf9gEpq45cC8Ql+S4ik2AGh2rTqAMpqPt ; ( RSASHA256 )
DS = jan-riechers.de IN DS 51729 8 1 2eb7292556df740fc6c54b85e91d23a782f207b9 ; ( SHA1 digest )
DS = jan-riechers.de IN DS 51729 8 2 8fb689fb906d70540acb7684c1fc3f1315820e88fe0f5738a342773faf887aff ; ( SHA256 digest )
DS = jan-riechers.de IN DS 51729 8 3 3eedef52bc7fd2407b0a9ea3d21c81694b693c24a3500f60f1940869e11d83f6 ; ( GOST R 34.11-94 digest )
DS = jan-riechers.de IN DS 51729 8 4 a435e93d78ce0312dfedef29df3f9380780bb3aa5c101eaf01034f11269ca319238aecdd017cb156c366229621e0ab17 ; ( SHA-384 digest )

Check if it worked [http://dnsviz.net/d/conti.work/analyze/] or here [http://dnssec-debugger.verisignlabs.com/conti.work]

[https://doc.powerdns.com/md/authoritative/dnssec/]

To renew the certificate run on mail:
certbot --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini renew

Adding DANE/TLSA record for mail server certificate verification or use this instead [https://www.huque.com/bin/gen_tlsa]

openssl x509 -in /etc/letsencrypt/live/mail3.conti.work/cert.pem -outform DER | openssl sha256

Add TLSA record to DNS:
_25._tcp.conti.work. IN TLSA 3 0 1 9bcd8c83d61e414bd5d935545637a2a98d3f38aaaf5ff9af415ddc574e28ae80

pdnsutil edit-zone jans.space

Alternative with just public key:
openssl s_client -showcerts -servername mail3.r-jan.de -connect mail3.r-jan.de:443 </dev/null 2>/dev/null | \
awk 'BEGIN { x=0;} /-----BEGIN CERTIFICATE-----/ { x++; } (x==1) {print;} /-----END CERTIFICATE-----/ {x++;}' | \
openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256
{| class="wikitable"
|_25._tcp.mail3 IN TLSA 3 1 1 0bbc34a70d015e83306ed3cdb6534e5e570cbdb4eec6af5585399ea499ab7c3a
|}

Howto [https://sys4.de/de/blog/2014/05/24/einen-tlsa-record-fuer-dane-mit-bind-9-publizieren/#den-tlsa-record-erstellen] and [http://www.internetsociety.org/deploy360/resources/dane/]

Verify with [http://www.internetsociety.org/deploy360/blog/2014/02/nist-offers-new-tool-to-verify-tlsa-records-for-dane-dnssec/]

For dynamic update setup zone with ALLOW-DNSUPDATE-FROM
pdnsutil set-meta $ZONE ALLOW-DNSUPDATE-FROM 172.16.0.0/15
pdnsutil set-meta $ZONE TSIG-ALLOW-DNSUPDATE dyndns
or

select id from domains where name='conti.work';
8
insert into domainmetadata (domain_id, kind, content) values(8, 'ALLOW-DNSUPDATE-FROM','172.16.0.0/16');
insert into domainmetadata (domain_id, kind, content) values (8, 'TSIG-ALLOW-DNSUPDATE', 'dyndns');

[https://doc.powerdns.com/md/authoritative/dnsupdate/]

To notify slaves use:
sudo pdnsutil set-meta r-jan.de ALSO-NOTIFY 185.181.104.96

ProxMox ZFS Setup

2023-01-01T11:29:55Z

Jan:

How to setup proxmox on Hetzner
* Boot into rescue image
* Download proxmox.iso
* Make sure to set keyboard to de with -k de
qemu-system-x86_64 -enable-kvm -smp 4 -m 4096 -boot d -cdrom ./px.iso -drive file=/dev/nvme0n1,format=raw,media=disk -drive file=/dev/nvme1n1,format=raw,media=disk -vnc 127.0.0.1:1 -k de

This can as well be used to restore the system.
* Partition Proxmox as needed and then go to console with Ctrl+Alt+F3
* Start ssh-agent
ssh-agent >ag.sh
. ./ag.sh
* Load ssh key for znapzend user
ssh -A riechers@riechers.info
ssh-add

#!/bin/bash
SNAPSHOT=2023-01-01-101501
for i in ROOT/pve-1 data docker-conf docker
do
ssh -A znapzend@riechers.info zfs send -R tank/backup/znapzend/hetzer/$i@$SNAPSHOT | zfs recv -v -u rpool/$i
done

ProxMox ZFS Setup

2023-01-01T11:17:53Z

Jan: Created page with "How to setup proxmox on Hetzner * Boot into rescue image * Download proxmox.iso * Make sure to set keyboard to de with -k de qemu-system-x86_64 -enable-kvm -smp 4 -m 4096 -boot d -cdrom ./px.iso -drive file=/dev/nvme0n1,format=raw,media=disk -drive file=/dev/nvme1n1,format=raw,media=disk -vnc 127.0.0.1:1 -k de"

Jan's Wiki - User contributions [en]

DNSSec

ProxMox ZFS Setup

ProxMox ZFS Setup